b"OFFICE OF           Report of Evaluation \n\nINSPECTOR GENERAL\n                              OIG 2011 Evaluation of the\n                             Farm Credit Administration\xe2\x80\x99s\n                                     Compliance with the\n                             Federal Information Security\n                                        Management Act\n\n                                     November 15, 2011\n\n\n                            E-11-01\n\n                          Tammy Rapp\n                        Auditor-in-Charge\n\n\n\n\n                    FARM CREDIT ADMINISTRATION\n\x0cMemo\n   orandum                                                              Office of Inspector General\n                                                                        1501 Farm Cre  edit Drive\n                                                                        McLean, Virginnia 22102-509 90\n\n\n\n\nNovemb\n     ber 15, 2011\n\n\nThe Hon\n      norable Lelan nd A. Strom, Chairman an\n                                           nd Chief Exe\n                                                      ecutive Office\n                                                                   er\nThe Hon\n      norable Kenn  neth A. 
Spearman, Board Member\nThe Hon\n      norable Jill Lo\n                    ong Thompso on, Board Me\n                                           ember\nFarm Crredit Adminisstration\n1501 Fa\n      arm Credit Drrive\nMcLean, Virginia 22102-5090\n\nDear Ch\n      hairman Strom\n                  m and Board\n                            d Members Spearman and Long Thom\n                                                           mpson:\n\nThe Offic\n        ce of the Insppector Generral completed\n                                              d the 2011 in\n                                                          ndependent evaluation off the Farm Crredit\nAdministtration\xe2\x80\x99s com\n                    mpliance with the Federal Information Security Man\n                                                                     nagement Acct (FISMA). The\nobjective\n        es of this eva\n                     aluation were\n                                 e to perform an independeent assessmeent of FCA\xe2\x80\x99s information\nsecurity program and d assess FCA A\xe2\x80\x99s complian\n                                             nce with FISMMA.\n\nThe results of our evvaluation reve\n                                  ealed that FC CA has an eff\n                                                            ffective inform\n                                                                          mation securiity program, and\nwe did not identify an\n                     ny significantt deficiencies\n                                                s in the Agency\xe2\x80\x99s informattion security program.\n\nWe apprreciate the co\n                    ourtesies and d professiona\n                                              alism extend\n                                                         ded to the evaaluation stafff. 
If you have any\n       ns about this evaluation, I would be ple\nquestion                                      eased to meeet with you a\n                                                                      at your convenience.\n\nRespecttfully,\n\n\n\n\nCarl A. Clinefelter\nInspectoor General\n\x0cFarm Credit Administration\n\nOffice of Inspector General \n\n                                November 15, 2011\n                                                    1\n\x0c\xef\x82\xa7    Introduction and Background\n\xef\x82\xa7    Objectives, Scope, and Methodology\n\xef\x82\xa7    Overall Conclusion\n\xef\x82\xa7    Areas Evaluated by Offices of Inspector General (OIG) During FY 2011\n    1.  Risk Management\n    2. Configuration Management\n    3. Incident Response and Reporting\n    4. Security Training\n    5. Plans of Actions and Milestones (POA&M)\n    6. Remote Access Management\n    7. Identity and Access Management\n    8. Continuous Monitoring Management\n    9. Contingency Planning\n    10. Contractor Systems\n    11. Security Capital Planning\n\xef\x82\xa7    Appendix A: IG Section Report for Office of Management and Budget (OMB)\n\n\n\n                          Report #E-11-01 OIG Evaluation: FISMA 2011           2\n\x0c\xef\x82\xa1   The President signed into law the E-Government Act (Public Law 107-347), which includes\n    Title III, Information Security, on December 17, 2002. Title III permanently reauthorized the\n    Government Information Security Reform Act of 2000 and renamed it the Federal\n    Information Security Management Act (FISMA) of 2002. 
The purpose of FISMA was to\n    strengthen the security of the Federal government\xe2\x80\x99s information systems and develop\n    minimum standards for agency systems.\n\xef\x82\xa1   FISMA requires an agency\xe2\x80\x99s Chief Information Officer (CIO) and OIG to conduct annual\n    assessments of the agency\xe2\x80\x99s information security program.\n\xef\x82\xa1   OMB issued Memorandum M-11-33, FY 2011 Reporting Instructions for the FISMA and\n    Agency Privacy Management, on September 14, 2011. This memorandum provides\n    instructions for complying with FISMA\xe2\x80\x99s annual reporting requirements and reporting on\n    the agency\xe2\x80\x99s privacy management program.\n\xef\x82\xa1   Results of the CIO and OIG assessments are reported to the OMB thru CyberScope.\n\xef\x82\xa1   Appendix A contains the IG Section Report as submitted to OMB thru CyberScope.\n\n\n\n\n                         Report #E-11-01 OIG Evaluation: FISMA 2011                                 3\n\x0c\xef\x82\xa1   The objectives of this evaluation were to perform an independent assessment of the Farm\n    Credit Administration\xe2\x80\x99s (FCA or Agency) information security program and assess FCA\xe2\x80\x99s\n    compliance with FISMA.\n\xef\x82\xa1   The scope of this evaluation covered FCA\xe2\x80\x99s Agency-owned and contractor operated\n    information systems of record as of September 30, 2011. 
FCA is a single program Agency\n    with seven mission critical systems and major applications.\n\xef\x82\xa1   The evaluation covered the eleven areas identified by OMB for OIGs to evaluate.\n\xef\x82\xa1   Key criteria used to evaluate FCA\xe2\x80\x99s information security program and compliance with\n    FISMA included OMB guidance, National Institute of Standards and Technology (NIST)\n    Special Publications (SP), and Federal Information Processing Standards Publications\n    (FIPS).\n\xef\x82\xa1   In performing this evaluation, we performed the following steps:\n    \xef\x82\xa7   Identified and reviewed Agency policies and procedures related to information security;\n    \xef\x82\xa7   Examined documentation relating to the Agency\xe2\x80\x99s information security program and compared to NIST standards\n        and FCA policy;\n    \xef\x82\xa7   Conducted interviews with the CIO, IT Security Specialist, Technology Team Leader, Applications Team Leaders, and\n        several IT Specialists;\n    \xef\x82\xa7   Built on our understanding from past FISMA evaluations;\n    \xef\x82\xa7   Observed security related activities performed by Agency personnel; and\n    \xef\x82\xa7   Performed tests for a subset of controls.\n\n\n\n                               Report #E-11-01 OIG Evaluation: FISMA 2011                                                   4\n\x0c\xef\x82\xa1   This evaluation represents the status of the information security program as of\n    September 30, 2011, and did not include a test of all information security controls.\n\xef\x82\xa1   The evaluation was performed at FCA Headquarters in McLean, Virginia, from\n    September 2011 through November 2011.\n\xef\x82\xa1   Observations and results were shared with key information technology (IT) personnel\n    throughout the evaluation. 
On November 4, 2011, the CIO and OIG shared and discussed\n    drafts of their respective FISMA section reports.\n\xef\x82\xa1   An exit conference was conducted with management officials on November 10, 2011.\n\xef\x82\xa1   This evaluation was performed in accordance with the Council of the Inspectors General on\n    Integrity and Efficiency\xe2\x80\x99s Quality Standards for Inspection and Evaluation.\n\n\n\n\n                        Report #E-11-01 OIG Evaluation: FISMA 2011                              5\n\x0cFCA has an effective information security program that continues to mature and contains the\nfollowing elements:\n   \xef\x82\xa7   Information security policies and procedures\n   \xef\x82\xa7   Capital planning and investment process that incorporates information security requirements\n   \xef\x82\xa7   Risk based approach to information security\n   \xef\x82\xa7   Systems categorized based on risk\n   \xef\x82\xa7   Security plans that are reviewed and revised regularly\n   \xef\x82\xa7   Risk based security controls implemented\n   \xef\x82\xa7   Security authorization process\n   \xef\x82\xa7   Common security configuration\n   \xef\x82\xa7   Continuous monitoring\n   \xef\x82\xa7   Security awareness and training program\n   \xef\x82\xa7   Continuity of operations plan and tests\n   \xef\x82\xa7   Incident response program\n   \xef\x82\xa7   Oversight of contractor systems\n\n\n\n\n                             Report #E-11-01 OIG Evaluation: FISMA 2011                              6\n\x0c\xef\x82\xa1   Engaged CIO, and experienced and well trained IT team\n\xef\x82\xa1   CIO and IT team are proactive in their approach to information security\n\xef\x82\xa1   The IT team was very responsive to minor suggestions made for improvement during the\n    FISMA evaluation, and in many cases, the IT staff made immediate changes to strengthen\n    the information security program where possible.\n\xef\x82\xa1   Of the 11 areas OMB required OIGs to evaluate 
during 2011, FCA has established a program\n    in each of the areas that is consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s guidelines.\n\xef\x82\xa1   In FY 2010, there was 1 area that needed improvement and resulted in an agreed-upon\n    action to develop an implementation plan for the United States Government Configuration\n    Baseline (USGCB). FCA made significant progress during FY 2011 to research, test,\n    implement, and document deviations from the USGCB. The CIO plans to be in compliance\n    with the USGCB by June 29, 2012.\n\n\n\n\n                        Report #E-11-01 OIG Evaluation: FISMA 2011                             7\n\x0cFCA established and maintained a risk management program that is consistent with FISMA\nrequirements, OMB policy, and applicable NIST guidelines. The risk management program\nincludes the following attributes:\n   \xef\x82\xa7   Policy that general support system and major applications will operate with proper accreditation and undergo\n       reauthorization every 3 years or when a major system change occurs\n   \xef\x82\xa7   Addresses risk from organization, mission, business, and information system perspectives\n   \xef\x82\xa7   Information systems categorized based on FIPS 199 and SP 800-60\n   \xef\x82\xa7   Security plans based on risk that identify minimum baseline controls selected, documented, and implemented\n   \xef\x82\xa7   Periodic assessments of controls through a combination of continuous monitoring, self-assessments, independent\n       penetration tests, and security certifications\n   \xef\x82\xa7   Authorizing official considers items identified during the certification process and ensures appropriate action will be\n       taken before signing the \xe2\x80\x9cAuthorization to Operate\xe2\x80\x9d\n   \xef\x82\xa7   Regular communications with senior management\n\n\n\n\n                              Report #E-11-01 OIG Evaluation: FISMA 2011                                                       
  8\n\x0cThe Agency established and is maintaining a configuration management program that is\nconsistent with FISMA requirements, OMB policy, and applicable NIST guidelines. FCA\xe2\x80\x99s\nsecurity configuration management program includes the following attributes:\n    \xef\x82\xa7   Documented policies and procedures for configuration management\n    \xef\x82\xa7   Standard baseline configuration for workstations and servers\n    \xef\x82\xa7   Regular scanning for compliance and vulnerabilities within the baseline configuration\n    \xef\x82\xa7   Timely remediation of identified vulnerabilities\n    \xef\x82\xa7   Process for timely and secure installation of software patches\n    \xef\x82\xa7   Monitors and analyzes critical security alerts to determine potential impact to FCA systems\nAs a result of the OIG evaluation during FY 2010, FCA developed an implementation plan to\nassist in achieving compliance with the USGCB. FCA made significant progress during FY 2011\nand has implemented over 70% of USGCB settings on user workstations.\n\n\n\n\n                               Report #E-11-01 OIG Evaluation: FISMA 2011                             9\n\x0cThe Agency has established and is maintaining an incident response and reporting program\nthat is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. 
The\nincident response and reporting program includes the following attributes:\n   \xef\x82\xa7   Documented policies and procedures, security awareness training and articles, and a 24 hour Helpline for incidents\n       available to employees needing incident assistance.\n   \xef\x82\xa7   Agency staff must report within one hour to the OMS Helpline any IT equipment, personally identifiable information\n       (PII), or sensitive information that is suspected to be missing, lost, or stolen.\n   \xef\x82\xa7   During FY 2011, FCA had the following types of incidents:\n       \xe2\x96\xaa   Malware on laptops\n       \xe2\x96\xaa   Unauthorized computers connected to the network\n       \xe2\x96\xaa   Unauthorized USB devices\n       \xe2\x96\xaa   Phishing email attempts\n       \xe2\x96\xaa   Misplaced or lost HSPD 12 cards, smart phones, USB drives, and laptops (Several lost items were recovered.)\n   \xef\x82\xa7   An analysis was performed for each incident before responding appropriately and timely to minimize further damage.\n   \xef\x82\xa7   A log was maintained of security incidents, and appropriate officials were notified depending on the nature of the\n       incident.\n\n\n\n\n                                 Report #E-11-01 OIG Evaluation: FISMA 2011                                                 10\n\x0cThe Agency has established and is maintaining a security training program that is consistent\nwith FISMA requirements, OMB policy, and applicable NIST guidelines. 
The security training\nprogram includes the following attributes:\n    \xef\x82\xa7   Mandatory annual security awareness training for employees and contractors using small group sessions\n        \xe2\x96\xaa   Revisions to significant security policy\n        \xe2\x96\xaa   Employee and contractor responsibilities\n        \xe2\x96\xaa   Safeguard PII and sensitive information from unauthorized disclosure\n        \xe2\x96\xaa   Modifications to hardware and software require CIO approval\n        \xe2\x96\xaa   Protect laptop and passwords\n        \xe2\x96\xaa   Suspicious email and phishing attempts\n        \xe2\x96\xaa   Prohibited activities\n        \xe2\x96\xaa   Incident reporting\n    \xef\x82\xa7   Security training presentation at new employee orientation\n    \xef\x82\xa7   New employees and contractors required to certify they have read and understood FCA\xe2\x80\x99s computer security policies\n        and responsibilities\n    \xef\x82\xa7   Ongoing awareness program that includes e-mails and news alerts with security tips and notices of new threats\n    \xef\x82\xa7   Individual development plan (IDP) process used to identify specialized training for users with significant security\n        responsibilities\n    \xef\x82\xa7   Identification and tracking of employees requiring mandatory and specialized security training\n\n\n\n\n                                  Report #E-11-01 OIG Evaluation: FISMA 2011                                                  11\n\x0cThe Agency has established and is maintaining a POA&M program that is consistent with\nFISMA requirements, OMB policy, and applicable NIST guidelines and tracks and monitors\nknown information security weaknesses. 
The POA&M program includes the following\nattributes:\n   \xef\x82\xa7   Policy for developing plans of action and milestones\n   \xef\x82\xa7   Process for developing plans of corrective action for significant information security weaknesses and tracking their\n       implementation\n   \xef\x82\xa7   Compensating controls currently in place until outstanding items are remediated\n\n\n\n\n                              Report #E-11-01 OIG Evaluation: FISMA 2011                                                      12\n\x0cThe Agency has established and is maintaining a remote access program that is consistent with\nFISMA requirements, OMB policy, and applicable NIST guidelines. The remote access program\nincludes the following attributes:\n   \xef\x82\xa7   Policies and procedures for authorizing, monitoring, and controlling all methods of remote access\n   \xef\x82\xa7   Virtual private network (VPN) for secure encrypted transmission of data outside of the Agency\xe2\x80\x99s network\n   \xef\x82\xa7   Encryption on local hard drives and USB drives to protect sensitive data and PII\n   \xef\x82\xa7   Forced encryption when creating CDs and DVDs\n   \xef\x82\xa7   Security policy and device management for Agency smart phones and authorized personal devices\n   \xef\x82\xa7   Remote contractor access for diagnostic purposes tightly controlled and closely supervised by IT staff\n\n\n\n\n                             Report #E-11-01 OIG Evaluation: FISMA 2011                                          13\n\x0cThe Agency has established and is maintaining an identity and access management program\nthat is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and\nidentifies users and network devices. 
The account and identity management program includes\nthe following attributes:\n   \xef\x82\xa7   Documented policies and procedures for requesting, issuing, and closing information system accounts\n   \xef\x82\xa7   Identifies and authenticates information system users before allowing access\n   \xef\x82\xa7   Detects unauthorized devices and disables connectivity\n   \xef\x82\xa7   Dual-factor authentication\n   \xef\x82\xa7   Information system accounts created, managed, monitored, and disabled by authorized personnel\n   \xef\x82\xa7   Periodic review of information system accounts to ensure access permissions provided to users is current and\n       appropriate\n   \xef\x82\xa7   Controls to prevent, detect, or notify authorized personnel of suspicious account activity or devices\n\n\n\n\n                             Report #E-11-01 OIG Evaluation: FISMA 2011                                               14\n\x0cThe Agency has established an enterprise-wide continuous monitoring program that assesses\nthe security state of information systems that is consistent with FISMA requirements, OMB\npolicy, and applicable NIST guidelines. 
The continuous monitoring program includes the\nfollowing attributes:\n   \xef\x82\xa7   Continuous monitoring strategy reflected in Infrastructure Security Plan and Management Control Plan\n   \xef\x82\xa7   Malicious code protection\n   \xef\x82\xa7   Vulnerability scanning\n   \xef\x82\xa7   Log monitoring\n   \xef\x82\xa7   Notification of unauthorized devices\n   \xef\x82\xa7   Notification of changes or additions to sensitive accounts\n   \xef\x82\xa7   Ongoing monitoring of security alerts and updates from vendors and appropriate action in response\n   \xef\x82\xa7   Commitment to annual independent penetration test\n\n\n\n\n                             Report #E-11-01 OIG Evaluation: FISMA 2011                                       15\n\x0cThe Agency established and is maintaining an enterprise-wide business continuity/disaster\nrecovery program that is consistent with FISMA requirements, OMB policy, and applicable\nNIST guidelines. The contingency planning program includes the following attributes:\n   \xef\x82\xa7   Business continuity plan and disaster recovery plan periodically updated to support the restoration of operations and\n       systems after a disruption or failure\n   \xef\x82\xa7   Alternative processing site and essential systems successfully activated during a government wide test\n   \xef\x82\xa7   Backup strategy includes daily and weekly backups of data and systems\n   \xef\x82\xa7   Three off-site storage facilities for backups\n   \xef\x82\xa7   Disaster recovery kit maintained offsite that contains critical software needed to recreate systems\n   \xef\x82\xa7   Employee notification system used to alert employees of office closing and other events\n\n\n\n\n                              Report #E-11-01 OIG Evaluation: FISMA 2011                                                       16\n\x0cThe Agency has established and maintains a program to oversee systems operated on its\nbehalf by contractors or other entities, including Agency 
systems and services residing in the\ncloud external to the Agency. The contractor system oversight program includes the following\nattributes:\n    \xef\x82\xa7   Written agreements for all contractor systems and interconnections\n    \xef\x82\xa7   Updates inventory of contractor systems and interconnections annually\n    \xef\x82\xa7   Reviews and updates security plans for contractor systems annually\n    \xef\x82\xa7   Performed due diligence reviews and monitored security controls for outsourced systems\n    \xef\x82\xa7   Performed site visits to review security documentation and verify financial and personnel system providers employed\n        adequate security measures to protect information, applications, and services\n    \xef\x82\xa7   Periodically reviewed user accounts and privileges\n\n\n\n\n                              Report #E-11-01 OIG Evaluation: FISMA 2011                                                      17\n\x0cThe Agency has established and maintains a security capital planning and investment program\nfor information security. 
The program includes the following attributes:\n   \xef\x82\xa7   Policies and procedures that stress importance of information security and protecting sensitive information\n   \xef\x82\xa7   Capital planning and investment process that incorporates information security requirements\n   \xef\x82\xa7   Enterprise architecture that ensures IT investments support core business functions and provides security standards\n\n\n\n\n                             Report #E-11-01 OIG Evaluation: FISMA 2011                                                      18\n\x0c                                                     Appendix A\n\n\n\n\nInspector General                              2011\n                                              Annual FISMA\n                                                 Report\nSection Report\n\n\n\n\n                 Farm Credit Administration\n\x0c                                                                                                                                              Appendix A\nSection 1: Risk Management\n1a.      The Agency has established and is maintaining a risk management program that is consistent with FISMA requirements, OMB policy,\n         and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the\n         following attributes:\n        1.a(1).    Documented and centrally accessible policies and procedures for risk management, including descriptions of the roles and\n                   responsibilities of participants in this process.\n                    Yes\n        1.a(2).    Addresses risk from an organization perspective with the development of a comprehensive governance structure and\n                   organization-wide risk management strategy as described in NIST 800-37, Rev.1\n                    Yes\n        1.a(3).    
Addresses risk from a mission and business process perspective and is guided by the risk decisions at the organizational\n                   perspective, as described in NIST 800-37, Rev.1.\n                    Yes\n        1.a(4).    Addresses risk from an information system perspective and is guided by the risk decisions at the organizational perspective\n                   and the mission and business perspective, as described in NIST 800-37, Rev. 1.\n                    Yes\n        1.a(5).    Categorizes information systems in accordance with government policies.\n                    Yes\n        1.a(6).    Selects an appropriately tailored set of baseline security controls.\n                    Yes\n        1.a(7).    Implements the tailored set of baseline security controls and describes how the controls are employed within the information\n                   system and its environment of operation.\n                    Yes\n        1.a(8).    Assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are\n                   implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security\n                   requirements for the system.\n                    Yes\n        1.a(9).    
Authorizes information system operation based on a determination of the risk to organizational operations and assets,\n                   individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that\n\nOIG Report - Annual 2011                                                                                                                                   Page 1 of 10\n                                                                            For Official Use Only\n\x0c                                                                                                                                                  Appendix A\nSection 1: Risk Management\n                   this risk is acceptable.\n                    Yes\n        1.a(10).   Ensures information security controls are monitored on an ongoing basis including assessing control effectiveness,\n                   documenting changes to the system or its environment of operation, conducting security impact analyses of the associated\n                   changes, and reporting the security state of the system to designated organizational officials.\n                    Yes\n        1.a(11).   Information system specific risks (tactical), mission/business specific risks and organizational level (strategic) risks are\n                   communicated to appropriate levels of the organization.\n                    Yes\n        1.a(12).   Senior Officials are briefed on threat activity on a regular basis by appropriate personnel. (e.g., CISO).\n                    Yes\n        1.a(13).   Prescribes the active involvement of information system owners and common control providers, chief information officers,\n                   senior information security officers, authorizing officials, and other roles as applicable in the ongoing management of\n                   information system-related security risks.\n                    Yes\n        1.a(14).   
Security authorization package contains system security plan, security assessment report, and POA&M in accordance with\n                   government policies.\n                    Yes\n\nSection 2: Configuration Management\n2.a.     The Agency has established and is maintaining a security configuration management program that is consistent with FISMA\n         requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the\n         OIG, the program includes the following attributes:\n        2.a(1).    Documented policies and procedures for configuration management.\n                    Yes\n        2.a(2).    Standard baseline configurations defined.\n                    Yes\n        2.a(3).    Assessing for compliance with baseline configurations.\n\nOIG Report - Annual 2011                                                                                                                                       Page 2 of 10\n                                                                            For Official Use Only\n\x0c                                                                                                                                             Appendix A\nSection 2: Configuration Management\n                    Yes\n        2.a(4).    Process for timely, as specified in Agency policy or standards, remediation of scan result deviations.\n                    Yes\n        2.a(5).    
                   For Windows-based components, FDCC/USGCB secure configuration settings fully implemented and any deviations from FDCC/USGCB baseline settings fully documented.
                    No
                    Comments: Although FDCC/USGCB secure configuration settings are not fully implemented, FCA has made significant progress in the past year.

                    FCA's current USGCB status:
                    - implemented over 70% of USGCB settings;
                    - continues to research and test outstanding settings; and
                    - documented and approved 17 deviations by the CIO.
        2.a(6).    Documented proposed or actual changes to hardware and software configurations.
                    Yes
        2.a(7).    Process for timely and secure installation of software patches.
                    Yes

Section 3: Incident Response and Reporting
3a.      The Agency has established and is maintaining an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
        3a(1).     Documented policies and procedures for detecting, responding to, and reporting incidents.
                    Yes
        3a(2).     Comprehensive analysis, validation, and documentation of incidents.
                    Yes
        3a(3).     When applicable, reports to US-CERT within established timeframes.
                    Yes

OIG Report - Annual 2011                                                                   Page 3 of 10
                                        For Official Use Only
                                                                                           Appendix A

        3a(4).     When applicable, reports to law enforcement within established timeframes.
                    Yes
        3a(5).     Responds to and resolves incidents in a timely manner, as specified in Agency policy or standards, to minimize further damage.
                    Yes
        3a(6).     Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.
                    Yes
        3a(7).     Is capable of correlating incidents.
                    Yes

Section 4: Security Training
4.a.     The Agency has established and is maintaining a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
        4.a(1).    Documented policies and procedures for security awareness training.
                    Yes
        4.a(2).    Documented policies and procedures for specialized training for users with significant information security responsibilities.
                    Yes
        4.a(3).    Security training content based on the organization and roles, as specified in Agency policy or standards.
                    Yes
        4.a(4).    Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other Agency users) with access privileges that require security awareness training.
                    Yes
        4.a(5).    Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other Agency users) with significant information security responsibilities that require specialized training.
                    Yes

Section 5: POA&M
5.a.     The Agency has established and is maintaining a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and that tracks and monitors known information security weaknesses. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
        5.a(1).    Documented policies and procedures for managing IT security weaknesses discovered during security control assessments and requiring remediation.
                    Yes
        5.a(2).    Tracks, prioritizes, and remediates weaknesses.
                    Yes
        5.a(3).    Ensures remediation plans are effective for correcting weaknesses.
                    Yes
        5.a(4).    Establishes and adheres to milestone remediation dates.
                    Yes
        5.a(5).    Ensures resources are provided for correcting weaknesses.
                    Yes
        5.a(6).    Program officials and contractors report progress on remediation to the CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains, and independently reviews/validates the POA&M activities at least quarterly.
                    Yes

Section 6: Remote Access Management
6.a.     The Agency has established and is maintaining a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
        6.a(1).    Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access.
                    Yes
        6.a(2).    Protects against unauthorized connections or subversion of authorized connections.
                    Yes
        6.a(3).    Users are uniquely identified and authenticated for all access.
                    Yes
        6.a(4).    If applicable, multi-factor authentication is required for remote access.
                    Yes
        6.a(5).    Authentication mechanisms meet NIST Special Publication 800-63 guidance on remote electronic authentication, including strength mechanisms.
                    Yes
        6.a(6).    Defines and implements encryption requirements for information transmitted across public networks.
                    Yes
        6.a(7).    Remote access sessions, in accordance with OMB M-07-16, are timed out after 30 minutes of inactivity, after which re-authentication is required.
                    Yes

Section 7: Identity and Access Management
7.a.     The Agency has established and is maintaining an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and that identifies users and network devices. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
        7.a(1).    Documented policies and procedures for account and identity management.
                    Yes
        7.a(2).    Identifies all users, including federal employees, contractors, and others who access Agency systems.
                    Yes
        7.a(3).    Identifies when special access requirements (e.g., multi-factor authentication) are necessary.
                    Yes
        7.a(4).    If multi-factor authentication is in use, it is linked to the Agency's PIV program where appropriate.
                    Yes
        7.a(5).    Ensures that users are granted access based on need and separation-of-duties principles.
                    Yes
        7.a(6).    Identifies devices that are attached to the network and distinguishes these devices from users.
                    Yes
        7.a(7).    Ensures that accounts are terminated or deactivated once access is no longer required.
                    Yes
        7.a(8).    Identifies and controls use of shared accounts.
                    Yes

Section 8: Continuous Monitoring Management
8.a.     The Agency has established an enterprise-wide continuous monitoring program that assesses the security state of information systems and that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
        8.a(1).    Documented policies and procedures for continuous monitoring.
                    Yes
        8.a(2).    Documented strategy and plans for continuous monitoring.
                    Yes
        8.a(3).    Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans.
                    Yes
        8.a(4).    Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as POA&M additions and updates, with the frequency defined in the strategy and/or plans.
                    Yes

Section 9: Contingency Planning
9.a.     The Agency has established and is maintaining an enterprise-wide business continuity/disaster recovery program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
        9.a(1).    Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a disruptive event or disaster.
                    Yes
        9.a(2).    The Agency has performed an overall Business Impact Analysis (BIA).
                    Yes
        9.a(3).    Development and documentation of division, component, and IT infrastructure recovery strategies, plans, and procedures.
                    Yes
        9.a(4).    Testing of system-specific contingency plans.
                    Yes
        9.a(5).    The documented business continuity and disaster recovery plans are in place and can be implemented when necessary.
                    Yes
        9.a(6).    Development of test, training, and exercise (TT&E) programs.
                    Yes
        9.a(7).    Performance of regular ongoing testing or exercising of business continuity/disaster recovery plans to determine effectiveness and to maintain current plans.
                    Yes

Section 10: Contractor Systems
10.a.    The Agency has established and maintains a program to oversee systems operated on its behalf by contractors or other entities, including Agency systems and services residing in the cloud external to the Agency. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
        10.a(1).   Documented policies and procedures for information security oversight of systems operated on the Agency's behalf by contractors or other entities, including Agency systems and services residing in public cloud.
                    Yes
        10.a(2).   The Agency obtains sufficient assurance that security controls of such systems and services are effectively implemented and comply with federal and Agency guidelines.
                    Yes
        10.a(3).   A complete inventory of systems operated on the Agency's behalf by contractors or other entities, including Agency systems and services residing in public cloud.
                    Yes
        10.a(4).   The inventory identifies interfaces between these systems and Agency-operated systems.
                    Yes
        10.a(5).   The Agency requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates.
                    Yes
        10.a(6).   The inventory of contractor systems is updated at least annually.
                    Yes
        10.a(7).   Systems that are owned or operated by contractors or entities, including Agency systems and services residing in public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.
                    Yes

Section 11: Security Capital Planning
11.a.    The Agency has established and maintains a security capital planning and investment program for information security. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
        11.a(1).   Documented policies and procedures to address information security in the capital planning and investment control process.
                    Yes
        11.a(2).   Includes information security requirements as part of the capital planning and investment process.
                    Yes
        11.a(3).   Establishes a discrete line item for information security in organizational programming and documentation.
                    Yes
        11.a(4).   Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required.
                    Yes
        11.a(5).   Ensures that information security resources are available for expenditure as planned.
                    Yes